NuGet and sigstore

I stumbled across the sigstore project and mostly found information on how it helps avoid tampered npm packages.

Is this also relevant for NuGet packages? Or is the attack vector sigstore addresses with npm not relevant for NuGet?

Solution

It is relevant to NuGet packages, since they can be signed. Unfortunately for Nuget.org use case, Microsoft requires signing with public certificate authority that is on their approved list. And Sigstore isn't on that list.

So Nuget.org would require some changes to support Sigstore if Sigstore isn't added to the list. And I haven't seen any issue opened for this on Nuget's issues page.

You can naturally do verifications by yourself if you have your own NuGet repository.

I want to install the "n" package and I get an error
n <version> command does not activate specified version
Change n install location
How to install a specific version of Node on Ubuntu/Debian?
Different node version for different projects, is there a way of telling node which version to use?
Install Node.js to install n to install Node.js?
How to select the latest node.js v6 version using n?
n-install: ERROR: GNU Make not found, which is required for operation
How to downgrade Node version with n
how switch to previous version in n (Node version manager)?
Automatically use the right version of Node for a package
internal/modules/cjs/loader.js:905 -> throw err;
Why doesn't "n" downgrade my node version on a Mac?
Node version manager
n failed to install/switch node in Linux?
vue command not found on Mac
How to uninstall n and all node versions installed by n
Angular CLI on HTTPS - can't install CI as root
n (node version manager): cannot create directory
npm module n emits errors
How to update npm permanently?
Cannot change nodejs version using n
upgrade nodejs to stable version
How should I install and use multiple versions of Node on the same production machine?